Information Security Plan

Information Security Plan

Overview

This Information Security Plan describes the safeguards implemented by Davidson College to protect confidential data. The goal of the program is to ensure the security of these assets in an effort to support the academic mission and culture of Davidson College. These safeguards are provided to:

  1. ensure the security and confidentiality of all information assets including confidential and nonpublic data,
  2. protect against any anticipated threats or hazards to the security of such assets, and
  3. protect against unauthorized access or use of such assets in ways that could result in substantial harm or inconvenience to customers.

Confidential Data

Within Davidson College’s Data Security Policy, “confidential data” is defined as data protected by federal and state regulations and are intended for use only by individuals who require that information in the course of performing their college functions. For these purposes, confidential data refers to, but is not limited to, financial information, academic and employment information, and other private paper and electronic records.

Davidson College works to maintain a secure environment by using technical and administrative controls to protect data while stored, in use, and in transit. Data that is considered confidential per the Data Security Policy that is stored in T&I managed systems of record or confidential data file shares will be managed per the Confidential Data Retention Guidelines to support Davidson’s Information Security Plan and comply with applicable laws or regulations. Email infosec@davidson.edu for more information.

Change Management

Change management typically requires documentation, peer review and approval and/or approval by T&I leadership. Normal and Emergency changes that have an impact on service require completion of change approval through this documented change process. Standing changes and most operational work do not require approval and are considered pre-approved. Items may be approved as standing changes after completing an initial change management process for that specific work type. Work approved as standing changes and operational work use an abbreviated change process to communicate and document the change. Consult T&I's Change Approval Requirements (Davidson login required) for more information.

Designation of Representatives

The Institution’s Information Security Analyst is designated as the Program Coordinator who shall be responsible for coordinating and overseeing the program. The Program Coordinator may designate other representatives of the Institution to oversee and coordinate particular elements of the program. (For instance, the Director of Public Safety/Chief of Police has been designated as the coordinator for all paper records and physical security.) Any questions regarding the implementation of the program or the interpretation of this document should be directed to the Program Coordinator or his or her designees. 

Executive Report

The Information Security Program Manager will provide an annual written report to the CIO, Director of Finance & Administration and the Board of Trustees.  At a minimum the report will include:

  1. Appropriate metrics to illustrate the state of the security profile
  2. Major Security Incidents overview and remediation
  3. Program Initiative Status
  4. Recommended & Planned Initiatives

Risk Identification and Assessment

Davidson College identifies and assesses external and internal risks to the security and confidentiality of confidential data that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information and assess the sufficiency of the safeguards in place to control these risks by:

  1. performing a risk assessment annually that rotates from an external vendor performed risk assessment to an internal assessment,
  2. performing annual penetration testing that rotates from an external vendor performed test to an internally performed test,
  3. performing monthly vulnerability assessments and as deemed necessary  due to material changes to operations or business arrangements or other circumstances with a material impact to the information security program. 
  4. monitoring of safeguards put in place to detect and identify potential threats, and
  5. monitoring advisory groups such as SANS, REN-ISAC, EDUCAUSE, and others to keep up to date on any new threats that may develop.

Davidson College identifies and assesses risk in relevant areas, including:

  1. employee training and management,
  2. information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  3. detecting, preventing and responding to attacks, intrusions, or other systems failures. 

Safeguards

The designated Program Coordinator will regularly monitor administrative, technical, and physical safeguards to control the risks identified through such assessments described above and to regularly test or otherwise monitor the effectiveness of such safeguards. The Technology & Innovation (T&I) division of the College designs and implements safeguards in areas highlighted by the aforementioned assessments. An internal T&I document outlines Davidson College’s procedure for implementing and assessing these safeguards. 

Service Providers

Davidson College will, upon hiring or contracting third party service providers, ensure that they take similar steps to protect confidential data as outlined above. T&I has an internal document that states the security requirements current or potential providers must adhere to in order to protect Davidson’s confidential data. Additionally, Davidson College has a documented process for evaluating IT service providers including firms that host Davidson data or provide software as a service (SaaS) or similar solutions. 

Training Program

The awareness and training program will occur on a regular basis and will be reviewed annually and updated as needed to address new technologies, threats, standards, and Davidson requirements. Where applicable, role-based training will be implemented to target specific vulnerabilities within the execution of a respective role.

Cybersecurity awareness training is required for all employees with Davidson credentials. Content and frequency will meet or exceed regulatory requirements. PCI training requirements are driven by roles within the College. View T&I's User Awareness & Training Program documentation (Davidson login required) for more information.

Adjustments to Program

The designated Program Coordinator is responsible for adjusting and reevaluating the plan as regular risk assessment occurs or as major changes occur that may significantly impact Davidson’s operations. The designated Program Coordinator will revisit this plan at least annually to ensure it is reflective of Davidson’s practices and adherence to regulatory requirements.